SEC.gov | Security of External Databases

This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.

AUDIT MEMORANDUM No. 25

November 7, 2002

To: Kenneth Fogash, Jonathan Katz, Cynthia Plisch, James McConnell
From: Walter Stachnik
Re: Security of External Databases

ACCOUNT CANCELLATION AND PASSWORD SHARING

Based on information provided by the Library, we recently found that the Dow Jones Interactive account of a former Commission employee had incurred extensive charges. The account had not been cancelled promptly when the employee left the agency.

We also found that co-workers in the former employee's office shared their passwords, in the belief that the Commission paid a flat fee for the service.[1] Therefore, the actual user(s) of the Dow Jones account could not be identified.

Besides Dow Jones Interactive (with 1472 users), Commission staff use a variety of external databases. The Lexis/Nexis service is the most widely used, with about 2770 total users.

We subsequently reviewed a June 2002 Lexis/Nexis listing of active users. The listing included four former employees with active accounts. We provided their names to the Office of Information Technology (OIT) for cancellation.

OIT issued updated Operating Procedures for Lexis/Nexis on July 24, 2002, which should enhance access controls. Under the new procedures, each office's service coordinator (i.e., the Administrative Contact) is responsible for adding and canceling users, rather than OIT. Since administrative contacts deal directly with new and departing employees, they are in a better position than OIT to ensure that user accounts are current.

As an additional control, OIT will send the administrative contacts a listing of authorized users every six months. The contacts will then be expected to review the listing and make sure that only authorized users have accounts. OIT has posted the updated procedures on the Intranet, but has not yet informed administrative contacts about them.

The Library has developed a proposal to further improve password management for external databases such as Lexis/Nexis. The proposal includes training of users, and development of policies and procedures for password management. To implement the proposal, additional staff will be required, according to the Library.

Recommendation A

The Office of Information Technology should inform administrative contacts regarding the updated procedures for external database password management (e.g., by an e-mail or written memorandum).

Recommendation B

The Library (in the Office of the Secretary) should make a budget request for the staff needed to implement its proposal described above.

DOWNLOADING REPORTS

According to the Library staff, some employees designate their personal e-mail accounts (such as Yahoo or Hotmail) for downloading of Lexis/Nexis reports. Commission policy is that personal accounts should not be accessed at work, since the access poses a security risk. Moreover, employees working at home can now access their Commission e-mail from home, so use of personal e-mail accounts for Lexis/Nexis reports is unnecessary.

Recommendation C

In its user training (see above), the Library should tell users that Lexis/Nexis reports should be sent to their government e-mail account, not their personal account.

cc: Mark Brickman, George Eckard, Gene Johnson, Darlene Pryor, Mark Radke, Jayne Seidman, Derek Scarbrough

Footnotes

[1] Under the Dow Jones and Lexis/Nexis contracts administered by the Library, the Commission does pay a flat fee annually. However, usage above a defined amount increases the charge for the following year. The fiscal year 2003 Lexis/Nexis contract limits usage to authorized users and specifically prohibits password sharing. In addition, password sharing violates Commission policy and compromises information technology security, which is a general responsibility of the Office of Information Technology.
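One way an administrative contact could carry out the six-monthly review of the vendor's authorized-user listing described above, together with the report-delivery check behind Recommendation C, as an added example that is not part of the memo or of any Commission procedure. The account listing, the HR roster, the separation dates and the sec.gov mail domain are constructed assumptions.

```python
"""Semiannual external-database access review (added illustration, constructed data).

Reconciles a vendor's active-user listing against the agency's staff roster:
accounts whose holders have separated (or are unknown to HR) are flagged for
cancellation, and accounts that deliver reports to a personal e-mail address
are flagged for the user training the memo recommends.
"""
from dataclasses import dataclass
from datetime import date

GOV_DOMAINS = {"sec.gov"}          # assumption: the agency's own mail domain(s)
REVIEW_DATE = date(2002, 6, 30)    # constructed review date


@dataclass(frozen=True)
class Account:
    user_id: str         # vendor-side login
    employee_id: str     # HR identifier the account was issued to
    office: str
    delivery_email: str  # where the vendor e-mails reports


# Constructed vendor listing; nothing here is real SEC data.
ACTIVE_ACCOUNTS = [
    Account("ln-1001", "E100", "Enforcement", "a.user@sec.gov"),
    Account("ln-1002", "E101", "Enforcement", "b.user@hotmail.com"),
    Account("ln-1003", "E102", "Library", "c.user@sec.gov"),
    Account("ln-1004", "E103", "Corp Fin", "d.user@yahoo.com"),
    Account("ln-1005", "E999", "Trading", "e.user@sec.gov"),
]
# Constructed HR roster: employee_id -> separation date, or None if still employed.
ROSTER = {"E100": None, "E101": None, "E102": date(2002, 3, 15), "E103": date(2002, 5, 1)}


def orphaned_accounts(accounts, roster, as_of):
    """Return (user_id, reason) for accounts whose holder is not a current employee."""
    flagged = []
    for acct in accounts:
        if acct.employee_id not in roster:
            flagged.append((acct.user_id, "not on roster"))
            continue
        left = roster[acct.employee_id]
        if left is not None and left <= as_of:
            days_open = (as_of - left).days  # how long the account outlived the employee
            flagged.append((acct.user_id, f"separated {left.isoformat()}, {days_open} days ago"))
    return flagged


def personal_delivery(accounts, gov_domains=GOV_DOMAINS):
    """Return user_ids whose report delivery address is outside the agency's domains."""
    return [a.user_id for a in accounts
            if a.delivery_email.rsplit("@", 1)[-1].lower() not in gov_domains]


if __name__ == "__main__":
    for uid, why in orphaned_accounts(ACTIVE_ACCOUNTS, ROSTER, REVIEW_DATE):
        print(f"cancel {uid}: {why}")
    for uid in personal_delivery(ACTIVE_ACCOUNTS):
        print(f"retrain {uid}: reports delivered outside agency mail")
```

The days-open figure gives the reviewer a rough measure of how long each orphaned account could have accrued usage charges.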